OSCP Preparation Guide 2

IPsec
Jul 5, 2021

Enumeration

NMAP

# Alive hosts

nmap -sn 10.0.0.0/24 

# scan the 1024 most common ports, run OS detection, run default nmap scripts

nmap -A -oA nmap <targetip> 

# Scan more deeply, scan all 65535 ports on $targetip with a full connect scan

nmap -v -sT <targetip> -p- 

# more options

nmap -sV -sC -v -A <targetip> -p-
nmap -sT -sV -A -O -v -p 1-65535 <targetip>

# my preference

nmap -sV -sC -v -oA output <targetip>
nmap -p- -v <targetip>
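As an added example (not from the original post): a small Python parser for the greppable .gnmap file that -oA writes, summarising each host's ports and flagging the services the sections below enumerate (SMB, SMTP, RPC, NFS) so their exposure can be reviewed. The scan output embedded below is constructed for this example.

```python
from typing import Dict, List, Tuple

# Constructed sample of the greppable (.gnmap) file written by "nmap -oA";
# hosts, ports and versions below are invented for this example.
SAMPLE_GNMAP = """\
# Nmap 7.91 scan initiated as: nmap -sV -sC -v -oA output 10.0.0.0/24
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1/, 139/open/tcp//netbios-ssn//Samba smbd 3.X - 4.X/, 445/open/tcp//netbios-ssn//Samba smbd 4.6.2/\tIgnored State: closed (997)
Host: 10.0.0.9 ()\tStatus: Up
Host: 10.0.0.9 ()\tPorts: 25/open/tcp//smtp//Postfix smtpd/, 111/open/tcp//rpcbind//2-4 (RPC #100000)/, 2049/open/tcp//nfs_acl//2-3 (RPC #100227)/, 3306/filtered/tcp//mysql///\tIgnored State: closed (996)
# Nmap done -- 256 IP addresses (2 hosts up) scanned in 131.22 seconds
"""

# (port, protocol, state, service, version)
PortEntry = Tuple[int, str, str, str, str]

# Ports that the SMB, SMTP, RPC and NFS enumeration steps target.
WATCHED_PORTS = {139: "NetBIOS/SMB", 445: "SMB", 25: "SMTP",
                 111: "RPC portmapper", 2049: "NFS"}


def parse_gnmap(text: str) -> Dict[str, List[PortEntry]]:
    """Map each scanned host to its port entries. A 'Ports:' entry has seven
    slash-separated fields: port/state/proto/owner/service/rpcinfo/version/."""
    hosts: Dict[str, List[PortEntry]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # skip the '# Nmap ...' header and footer lines
        # Fields are tab-separated "Key: value" pairs, e.g. "Host: 10.0.0.5 ()"
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        if "Ports" not in fields:
            continue  # plain "Status: Up" line, carries no port data
        host = fields["Host"].split()[0]
        entries = hosts.setdefault(host, [])
        for raw in fields["Ports"].split(", "):
            p = raw.split("/")
            entries.append((int(p[0]), p[2], p[1], p[4], p[6]))
    return hosts


def exposure_report(hosts: Dict[str, List[PortEntry]]) -> Dict[str, List[Tuple[int, str]]]:
    """Per host, the open watched ports, for review of unnecessary exposure."""
    report: Dict[str, List[Tuple[int, str]]] = {}
    for host, entries in hosts.items():
        hits = [(port, WATCHED_PORTS[port]) for port, _proto, state, _svc, _ver
                in entries if state == "open" and port in WATCHED_PORTS]
        if hits:
            report[host] = hits
    return report


if __name__ == "__main__":
    for host, hits in exposure_report(parse_gnmap(SAMPLE_GNMAP)).items():
        print(host, ", ".join(f"{p}/{name}" for p, name in hits))
```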

SMB

Samba, on ports 139 and 445, is a service that lets a user share files with other machines. It works the same way as a command-line FTP client; the files can be browsed even without credentials.

# Share List:

smbclient --list <targetip>
smbclient -L <targetip>

# Check SMB vulnerabilities:

nmap --script=smb-check-vulns.nse <targetip> -p445

# basic nmap scripts to enumerate shares and OS discovery

nmap -p 139,445 192.168.1.1/24 --script smb-enum-shares.nse,smb-os-discovery.nse

# Connect using Username

smbclient -L <targetip> -U username -p 445

# Connect to Shares

smbclient \\\\<targetip>\\ShareName 
smbclient \\\\<targetip>\\ShareName -U john

# enumerate SMB shares and more; -a is the "do everything" option

enum4linux -a 192.168.1.120

# learn the machine name and then enumerate with smbclient

nmblookup -A 192.168.1.102
smbclient -L <server_name> -I 192.168.1.105

# rpcclient: connect with a null session (only works for older Windows servers)

rpcclient -U james 10.10.10.52 
rpcclient -U "" 192.168.1.105
(press enter if it asks for a password)
rpcclient $> srvinfo
rpcclient $> enumdomusers
rpcclient $> enumalsgroups domain
rpcclient $> lookupnames administrators
rpcclient $> querydominfo
rpcclient $> queryuser john

# scan for vulnerabilities with nmap

nmap --script "vuln" <targetip> -p139,445

SMTP

# telnet or netcat connection

nc <targetip> 25 

VRFY root

# Check for commands

nmap --script smtp-commands.nse <targetip>

Port 111-RPC

# Rpcbind can help us find NFS shares, so look out for NFS. Obtain the list of services registered with RPC:

rpcinfo -p <targetip>

# using nmap, see which port NFS is listening on

locate *rpc*.nse
nmap --script rpcinfo.nse <targetip> -p 111

NFS

# to find the public share

locate *nfs*.nse
nmap --script nfs-showmount.nse <targetip>

# mount the share to a folder under /tmp

mkdir /tmp/nfs
/sbin/mount.nfs <targetip>:/home/box /tmp/nfs
